Cyber Security Related Excerpts from the Global Risk Forum Berlin September 25-26, 2013 Draft 10/24/13

Transcription

1 Cyber Security Related Excerpts from the Global Risk Forum Berlin September 25-26, 2013 Draft 10/24/13 Forwarding an International Public-Private Framework for Cyber Security & Resilience: With Increasing Cyber Impacts, Creating a Truly International and Public-Private Framework for Cyber Security & Resilience is Imperative. Session One - Clarifying Challenges & Identifying Key Elements for an Effective Cyber Framework To understand security and resilience on the Internet a participant explained, When we talk about cybersecurity and internet infrastructure, it s important to understand what elements of it changed our social and economic lives. Internet invariants include: Global connectivity and integrity (global reach and consistent view from any point) Permission-free innovation (yet undiscovered functionality) Accessibility (anyone can contribute and become part of it) Spirit of cooperation (foundation for evolution and resiliency - 80% of network operation agreements aren t contract-based) The security landscape complexity is comprised of a number of issues: Open platform / open to attack and intrusion Permission-free innovation / development and deployment of malware Global reach / attacks and cyber crime are cross-border Voluntary collaboration / hard to mandate There are a number of ways we search for safety: Risk management approach (there is no absolute security) Managing inward and outward risks (shared risk management and collective responsibility), for example: we talk about DDoS attacks. They are so easy a kid can do them. They re possible because of weaknesses in the IP system. Some ISPs allow IP spoofing. There s no incentive for them to prevent IP spoofing, because it doesn t help their network personally. But it is a huge threat to the rest of the ecosystem. Preserving the Internet Invariants (protecting the opportunities for growth and prosperity) Fragmenting the internet creates as many problems as it solves. Ingredients for cyber security solutions include international cooperation (most issues are cross-border) and preservation of Internet values. Another remarked on cyber security trends, We see a move towards collaboration, but mostly it s bilateral or regional so far. EU has an initiative, the African Union has made some progress. We also see tensions. People are worried about security and their data being seen. There are risks of fragmentation if we don t resolve these issues. What we think we need is a globally inclusive debate that avoids a cycle of pushing and backlash, and avoiding a digital Hindu Kush. The global environment is not isolated. We don t want to build a stable multinational system that can be attacked by someone with a server in some small isolated, unreachable country. So we must involve all countries. 1

2 Another noted, Cyber security is a slippery term, but it s really related to information security. It s important to understand that it s not just a technological issue. It s too important to be left to technical people. It s physical, and it s involving more traditional issues. A participant remarked, The EU is rather different for those of us used to dealing on the national political level. The EU body is not like a national cabinet, where more or less everyone has the same priorities. A country comes in with its own interests represented by its own commissioner. And other commissioners are pulling in different directions. The Internet Security Alliance may have a better approach, bundling the interests of the private sector into one unified voice, rather than the auction house atmosphere of the EU commission presently. In discussing cyber security versus information security, the question was raised as to the definition of cyber security and how it differs from information protection. In the EU it s more about privacy. In the U.S. it s more about critical infrastructure protection. Even in the insurance industry, in the U.S., insurance thinks cyber is about notification after breaches, but the government still thinks it s all critical infrastructure. Session Two - Towards a Cyber Security Framework the Proposed U.S. Model: Using the proposed U.S. framework as a Straw Man to identify potential approaches, weaknesses and gaps In opening this discussion the point was made that all of us born before 1980 or so are digital immigrants. The majority of people alive today were not born into the digital world so we don t get this stuff naturally and neither do those responsible for making policy around it. A participant noted, We have to deal with this like we re living through the invention of gunpowder. There are DHS reports that say that following good cybersecurity practices will make you more efficient and more profitable. That s actually not true! Going digital, having long supply chains, bring-your-own-devices, cloud computing, makes you more profitable but yet less secure. We must manage both of these. The point was made that the technology is under attack and we need to focus on the economics and the public policy solutions, not on defense by building bigger walls. It is estimated that there are 3 million different malware programs running around in the world. Each person will generate 5200GB of data within a few years. A participant argued, I don t agree that only the major European countries can be persistent in this effort. Some of our leading countries are very far behind on cybersecurity. We need decisions and rules, and don t have them. We could be talking about this for the next 20 years without anything happening. He went on to say, This EU directive is very, very vague. NATO is in a little bit better shape. They have several million incidents daily, and they at least check some of them out. Hungarian cyber security has worked on this for more than three years. They are most interested in prevention. We have to change the mindset. Another participant, drawing on both his public sector and private sector experience, indicated that when you analyze actual attacks you see there are about 90 attacks a year on major organizations. When you investigate these more closely you see that a lot of these are caused by poor security hygiene, such as bad passwords and system misconfigurations. 2

3 He continued, What I find is, the compliance route has some benefit sometimes. What really for this environment matters is people coming together and creating environments in which they can collaborate and then underpin that environment with services that allow them to paint a picture of situational awareness. It s about two-way information sharing. What do you share? What s actionable? If you re dealing in these environments, what insights can you see and what can I do about it? If you ve got the Syrian Electronic Army or Anonymous, and you see the pattern of an attack forming, you re in the moment. Suggested key takeaways were: Define who we re trying to approach, What is critical -- disruption of service, loss of life, economic damage What is the outcome we re trying to achieve What do you really want reported out from your organization? How much monitoring do you want? How much can you get? The participant went on to explain, Frameworks help you think through the challenges. The voluntary approach lets people apply it to their own standards. You have to have an ecosystem of intelligence collection and processing. Boards want to know what the impact is. If the intel framework isn t delivering it -- you have to process the governance part. The evolution of the U.S. approach was laid out this way: Bush administration, hands off the internet Obama first term - expanded DHS authority over Cyber Infrastructure to mandate adoption of federal security standards and mandatory notification of incidents with possible penalties Obama second term - voluntary program focuses on industry developed standards reinforced by government incentives. A participant noted, The EU and U.S. have diverging strategies. Blaming the victim encourages more attacks. Public penalties encourage punitive attacks. Regulation is an outdated model to address the modern cyber threat. Government and industry assess risk differently..the problem is that we re not Cyber Structured. In 95% of organizations the CFO isn t directly involved in information security. Twothirds of companies don t have risk plans. Less than half don t have a formal risk management plan. A third of those who do don t consider cyber in their plan. It was explained that the U.S. framework does five things: 1. makes organization-wide decisions 2. establishes a target profile 3. establishes a current profile 4. compares target and current profiles 5. implements target profile The organization must have a full risk management cycle: identify, protect, detect, respond, recover. The framework implementation tiers are: 0 - partial 3

4 1 - risk informed 2 - repeatable 3 - adaptive It was also pointed out by a participant that the U.S. proposed framework falls short: It has no communication of what constitutes voluntary adoption or implementation It lacks guidance to enterprises to prioritize implementation There is no insight into how critical CBA will be integrated There is no workable risk assessment tool Some participant reactions to the proposed U.S. framework included: If we can show that we re up to date with the latest standards, how do you get a heart-beat monitor of how your firm is doing on Cybersecurity -- as opposed to just compliance one time. I want an operational risk assessment. If I don t understand the landscape I m operating in, I only have half the job done. There re hardly any international standards on this. They might be useful to some extent, but if you have a more global footprint for this, it s more difficult. We think security has to be cheaper and easier in order for it to be sustainable. In this world we have a problem which is that it is not limited to borders, and bad actors that are not either. Lots of companies are not just sitting in a single country. IT doesn t support the business anymore, IT is the business. If that s so, then cybersecurity isn t just an add-on, it s got to be central. This isn t an IT issue, that s right, it s got to be enterprise risk. Break-Out Sessions on Key Cyber Security & Other Issues The whole world is following a failed cybersecurity strategy. The reason we re talking about this is that we re coming to rely on cyber technologies for our daily safety and wellbeing, and at the same time these technologies are extremely vulnerable to exploits in an intercontinental range. When we look at the security space, we must think about the levers of risk management. What can we look at to change the risk? Threat mitigation, vulnerability mitigation, and consequence mitigation. IT s not a good tactical tool to put numbers in the formula I m about to present, Risk = threat * vulnerability * consequence. There s a strategic truth to this. The multiplication function here is that if any of these variables is moved to zero, then the risk is zeroed out. However, it s impossible to reduce risk to zero with cyber. We ve been so focused on vulnerability mitigation that we ve been ignoring threat and consequence mitigation. My first suggestion is that bad guys are using the least sophisticated tool in their toolbox often times. So if you deny them access from one means, there may be many others. 4

5 Vulnerability mitigation measures work well against crimes of opportunity. When there s no fungibility in a target, we tend to not reduce vulnerability, but reduce threat or consequence. It s like installing an alarm in your house -- once you ve defeated the perimeter, the alarm is a signal to the intruder that we re detecting you and about to confront you head on. You don t set off an alarm and then have the alarm company call a locksmith to fix the lock -- you call the police to stop the intruder. In the tech world this is made complicated by the fact that the landscape is changing so quickly. The design elements and protocols on the internet were never really designed for threat deterrence. So the original element of the internet was interoperability, then bandwidth, then speed, then privacy. Privacy is difficult to talk about because we want to give good guys privacy, but bad guys get attribution. Is it possible to make design elements that do this? Provide privacy assurance and deviance attribution? It s possible that the areas of the network that need the greatest security may require the least privacy. The power grid, for example. The power grid needs no privacy -- in fact we want to be quite sensitive to who is using parts of it. That s very different from Twitter or or voice. This is a concept of being able to define specific systems and services, not just one large solution set. Report Backs, Conclusions & Next Steps to Advance Collective Action In discussing liquidity and payments systems in financial services from a vulnerability point of view a participant explained, The networks are very hardened. But the end-users are pretty insecure. The market would not withstand an integrity violation in digital money. We ve been moving towards a risk management model, where everyone gets to decide for themselves what their most sensitive information is. There isn t any standard metric for distinguishing ROI on cybersecurity efforts. I would posit to this group that this is not an effective way of looking at strategy. We started out with diminishing returns on security spending, where now I think we ve got negative returns, where things we re doing are making it worse. There s a lot of thinking that there are escalating costs without any real gains since we can t measure success in a meaningful way. 5